{"id":10222,"date":"2026-01-29T04:03:32","date_gmt":"2026-01-29T04:03:32","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/29\/32662\/"},"modified":"2026-01-29T04:03:32","modified_gmt":"2026-01-29T04:03:32","slug":"32662","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/29\/32662\/","title":{"rendered":"Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?, (Wed, Jan 28th)"},"content":{"rendered":"\n<div>Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?, (Wed, Jan 28th)<\/div>\n<div>\n<p>I was looking for possible exploitation of CVE-2026-21962, a recently patched WebLogic vulnerability. While looking for related exploit attempts in our data, I came across the following request:<\/p>\n<blockquote>\n<p><code>GET \/weblogic\/\/weblogic\/..;\/bea_wls_internal\/ProxyServlet<br \/>\nhost: 71.126.165.182<br \/>\nuser-agent: Mozilla\/5.0 (compatible; Exploit\/1.0)<br \/>\naccept-encoding: gzip, deflate<br \/>\naccept: *\/*<br \/>\nconnection: close<br \/>\nwl-proxy-client-ip: 127.0.0.1;Y21kOndob2FtaQ==<br \/>\nproxy-client-ip: 127.0.0.1;Y21kOndob2FtaQ==<br \/>\nx-forwarded-for: 127.0.0.1;Y21kOndob2FtaQ==<\/code><\/p>\n<\/blockquote>\n<p>According to write-ups about CVE-2026-21962, this request is related to that vulnerability [2]. However, the request also matches an earlier &#8220;AI Slop&#8221; PoC [3][4]. Another write-up, which also sounds very AI-influenced, suggests a very different exploit mechanism that does not match the request above [5].<\/p>\n<p>The source IP is 193.24.123.42. Our data shows sporadic HTTP scans from this IP address, and it appears to be located in Russia. Not terribly remarkable at that. In the past, the IP has used the &#8220;Claudbot&#8221; user-agent, but it does not have any actual affiliation with Anthropic (not to be confused with the recent news about clawdbot).<\/p>\n<p>The exploit is a bit odd. First of all, it uses the loopback address as an &#8220;X-Forwarded-For&#8221; address. This is a common trick to bypass access restrictions (I would think that Oracle is a bit better than to fall for a simple issue like that). There is an option to list multiple IPs, but they should be delimited by a comma, not a semicolon.<\/p>\n<p>The base64 encoded string decodes to &#8220;cmd:whoami&#8221;. This suggests a simple command injection vulnerability. Possibly the content of the header is base64 decoded and then passed as a command line argument? It is certainly an odd mix of encodings in one header, and unlikely to work.<\/p>\n<p>Let&#8217;s hope this is AI slop and the exploit isn&#8217;t that easy. We have seen a significant uptick in requests including the wl-proxy-client-ip header, starting on January 21st, but the header has been used <a href=\"https:\/\/isc.sans.edu\/weblogs\/headers.html?header=d2wtcHJveHktY2xpZW50LWlw\">before<\/a>. It is the kind of exploit an AI may come up with after seeing keywords like &#8220;Weblogic Server Proxy Plug-in&#8221;.<\/p>\n<p>I asked ChatGPT and Grok if this is an exploit or AI slop. The abbreviated answers:<\/p>\n<p>ChatGPT: &#8220;This looks <strong>more like a \u201cscanner\/probe that\u2019s trying to look like an exploit\u201d than a complete, working exploit by itself<\/strong> \u2014 but it\u2019s <em>not<\/em> random either. It\u2019s borrowing real WebLogic attack ingredients.&#8221;<\/p>\n<p>Grok: &#8220;This is an actual exploit attempt \u2014 not just random &#8220;AI slop&#8221; or nonsense traffic.&#8221;<\/p>\n<p>Google Gemini: &#8220;That is definitely an <b>actual exploit attempt<\/b>, not AI slop. Specifically, it is targeting a well-known vulnerability in <b>Oracle WebLogic Server<\/b>.&#8221;<\/p>\n<p>[1] https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21962<br \/>\n[2] https:\/\/dbugs.ptsecurity.com\/vulnerability\/PT-2026-3709<br \/>\n[3] https:\/\/x.com\/0xacb\/status\/2015473216844620280<br \/>\n[4] https:\/\/github.com\/Ashwesker\/Ashwesker-CVE-2026-21962\/blob\/main\/CVE-2026-21962.py<br \/>\n[5] https:\/\/www.penligent.ai\/hackinglabs\/the-ghost-in-the-middle-a-definitive-technical-analysis-of-cve-2026-21962-and-its-existential-threat-to-ai-pipelines\/<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D., Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a><\/p>\n<p>(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Odd WebLogic Request. Possible CVE-2026-21962 Exploit Attempt or AI Slop?, (Wed, Jan 28th) I was looking for possible exploitation of CVE-2026-21962, a recently patched WebLogic vulnerability. While looking for related exploit attempts in our data, I came across the following request: GET \/weblogic\/\/weblogic\/..;\/bea_wls_internal\/ProxyServlet host: 71.126.165.182 user-agent: Mozilla\/5.0 (compatible; Exploit\/1.0) accept-encoding: gzip, deflate accept: *\/* connection: [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-10222","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10222"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10222"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10222\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}